Mir

Merge lp:~kgunn72/mir/snappy-packaging-with-secprofile into lp:~mir-team/mir/snappy-packaging

Proposed by kevin gunn
Status: Work in progress
Proposed branch: lp:~kgunn72/mir/snappy-packaging-with-secprofile
Merge into: lp:~mir-team/mir/snappy-packaging
Diff against target: 999 lines (+932/-2)
8 files modified
Makefile (+1/-1)
overlay/meta/framework-policy/apparmor/policygroups/client (+6/-0)
overlay/meta/framework-policy/seccomp/policygroups/client (+1/-0)
overlay/meta/mir.apparmor (+74/-0)
overlay/meta/mir.seccomp (+403/-0)
overlay/meta/mirdemosvr.apparmor (+45/-0)
overlay/meta/mirdemosvr.seccomp (+393/-0)
overlay/meta/package.yaml (+9/-1)
To merge this branch: bzr merge lp:~kgunn72/mir/snappy-packaging-with-secprofile
Reviewer Review Type Date Requested Status
Jamie Strandboge (community) Needs Fixing
Mir development team Pending
Review via email: mp+266111@code.launchpad.net

Commit message

first draft additions to confine the mir snap and client

Description of the change

first draft additions to confine the mir snap and client
Used the Qt clock reference app as the means to exercise the mir operation, which may not be exhaustive; other client applications may need to look for AA denials or bad syscalls during debug.

Jamie Strandboge (jdstrand) wrote :

Things are really coming along! Most of my comments are inline, however I did want to mention that in looking at the mir_demo_server packaging and security policy, I think you can simplify things and have mir_demo_server simply use the default security policy with the @PACKAGE@_client cap. I.e., update the yaml to be:

binaries:
  - name: mir_demo_server
    exec: debs/usr/bin/mir_demo_server
    caps:
      - network-client
      - @PACKAGE@_client

Then do:
$ rm -f overlay/meta/mirdemosvr.apparmor overlay/meta/mirdemosvr.seccomp

Note: framework binaries and services may reference the framework-policy from this snap.

review: Needs Fixing
Chris Halse Rogers (raof) wrote :

Commented about AUTH_ADMIN requirement. I don't think we actually need chown in the regular case, and the option which *does* need it probably shouldn't be allowed system-wide.

Daniel van Vugt (vanvugt) wrote :

I think this proposal has stagnated because ~mir-team isn't familiar with any of this.

I say just land it. If anyone on ~mir-team does have a clue about what they're modifying in these areas, they can probably just commit directly to the snappy-packaging branch. Doing a merge proposal seems counter-productive at this early stage of Snappy.

kevin gunn (kgunn72) wrote :

True on the stagnation, as I did the snappy confinement work, but I need help with some of the comments as my technical depth isn't deep enough.

But please don't land it; the point of the MP was to capture security team feedback on the snappy confinement.

Kevin DuBois (kdub) wrote :

I suppose let's move to work-in-progress then?

kevin gunn (kgunn72) wrote :

OK, based on the current changes in snappy this is now strictly historical.
All security policy is going to be defined by the system for the "display-server" capability, which is based on the confinement work done here. This is happening because snappy is deprecating the concept of a framework that provides its own security policy.

Unmerged revisions

26. By kevin gunn

final seccomp change

25. By kevin gunn

seccomp updates for demo of clock app

24. By kevin gunn

seccomp profile changes, mir launches

23. By kevin gunn

final aa profile changes, clock example launches

22. By kevin gunn

apparmor profile updates, mir launching

21. By kevin gunn

update more aa profile

20. By kevin gunn

update from trunk

19. By kevin gunn

update apparmor and seccomp files for mir & better server script

18. By kevin gunn

mir-comp sec prof updates and add mir-demo-server files

17. By kevin gunn

first adds of security profile

Preview Diff

1=== modified file 'Makefile'
2--- Makefile 2015-06-19 06:20:48 +0000
3+++ Makefile 2015-07-28 14:59:40 +0000
4@@ -15,7 +15,7 @@
5 # You should have received a copy of the GNU General Public License
6 # along with this program. If not, see <http://www.gnu.org/licenses/>.
7
8-SNAPVER:=1
9+SNAPVER:=1.1
10 VERSION="$(shell apt-cache policy mir-demos | grep '^ \*\*\* ' | cut -c1-7,10-17 --complement | cut -d' ' -f3)snap${SNAPVER}"
11
12 all: snap
13
14=== modified file 'overlay/meta/framework-policy/apparmor/policygroups/client'
15--- overlay/meta/framework-policy/apparmor/policygroups/client 2015-07-09 21:58:15 +0000
16+++ overlay/meta/framework-policy/apparmor/policygroups/client 2015-07-28 14:59:40 +0000
17@@ -8,9 +8,13 @@
18 @{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/ r,
19 @{CLICK_DIR}/@PACKAGE@/*/debs/usr/lib/*/mir/client-platform/* r,
20
21+capability chown,
22+capability fowner,
23+
24 # Socket to talk on
25 /run/mir_socket rw,
26 unix (connect, send, receive) peer=(label=@PACKAGE@_system-compositor_@VERSION@),
27+#unix (receive, send) type=seqpacket addr=none,
28
29 # For non-opengl apps
30 # https://www.kernel.org/doc/gorman/html/understand/understand015.html
31@@ -29,3 +33,5 @@
32
33 # FIXME: this is too lenient, please adjust for specific accesses
34 /sys/devices/*/*/*/uevent r,
35+
36+/usr/share/applications/ r,
37
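Review bot: `/usr/share/applications/ r,` grants only a directory listing (the rule has no `*` or `**`), so on its own it will not let a client read .desktop files; state which access of the Qt clock app produced the denial so the rule can be scoped to exactly that path. The `# FIXME: this is too lenient` on the uevent rule just above is still open in this branch.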
38=== modified file 'overlay/meta/framework-policy/seccomp/policygroups/client'
39--- overlay/meta/framework-policy/seccomp/policygroups/client 2015-07-09 21:58:15 +0000
40+++ overlay/meta/framework-policy/seccomp/policygroups/client 2015-07-28 14:59:40 +0000
41@@ -3,3 +3,4 @@
42
43 # needed to connect to mir
44 socketpair
45+lchown
46\ No newline at end of file
47
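Review bot: `lchown` is added to the seccomp policy group for all clients while the new seccomp files in this same branch keep the rest of the chown family commented out, with the note that snappy has no per-app UID/GIDs; without syscall argument filtering this allows lchown on any path the AppArmor rules permit, so it should be justified by a specific denial or dropped together with `capability chown` in the AppArmor policy group. The file also loses its trailing newline (`\ No newline at end of file`); add it back.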
48=== added file 'overlay/meta/mir.apparmor'
49--- overlay/meta/mir.apparmor 1970-01-01 00:00:00 +0000
50+++ overlay/meta/mir.apparmor 2015-07-28 14:59:40 +0000
51@@ -0,0 +1,74 @@
52+# Description: mir-compositor apparmor security profile
53+# Usage: Mir
54+
55+#include <tunables/global>
56+
57+# Specified profile variables
58+###VAR###
59+
60+###PROFILEATTACH### (attach_disconnected) {
61+ #include <abstractions/base>
62+ #include <abstractions/nameservice>
63+
64+capability dac_override,
65+capability sys_tty_config,
66+capability sys_admin,
67+
68+ # Read-only for the install directory
69+ @{CLICK_DIR}/@{APP_PKGNAME}/ r,
70+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
71+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
72+
73+ # Writable home area
74+ owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/ rw,
75+ owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/** mrwklix,
76+
77+ # Read-only system area for other versions
78+ /var/lib/apps/@{APP_PKGNAME}/ r,
79+ /var/lib/apps/@{APP_PKGNAME}/** mrkix,
80+
81+ # Writable system area only for this version.
82+ /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
83+ /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
84+
85+# ... specialized confinement ...
86+# Socket to talk on
87+/run/mir_socket rw,
88+unix (receive, send) type=seqpacket addr=none,
89+
90+# Hardware acceleration
91+/dev/dri/card0 rw,
92+
93+# For non-opengl apps
94+/dev/shm/\#* rw,
95+
96+# udev
97+/sys/devices/**/uevent r,
98+/sys/devices/**/ r,
99+/dev/input/* rw,
100+/dev/tty* wr,
101+/run/udev/data/* r,
102+
103+ptrace peer=**,
104+/bin/dash mrix,
105+/bin/sleep mrix,
106+/bin/pidof mrix,
107+/bin/sed mrix,
108+/bin/cp mrix,
109+/sbin/killall5 ixr,
110+/usr/bin/expr ixr,
111+/usr/bin/chmod ixr,
112+/bin/chmod ixr,
113+/proc/ r,
114+/proc/*/stat r,
115+/proc/*/cmdline r,
116+/sys/bus/ r,
117+/sys/class/ r,
118+/sys/class/input/ r,
119+/sys/class/drm/ r,
120+/etc/udev/udev.conf r,
121+capability sys_ptrace,
122+capability chown,
123+capability fowner,
124+capability sys_ptrace,
125+}
126
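Review bot: `ptrace peer=**,` together with `capability sys_ptrace,` (listed twice at the end of the profile), `capability sys_admin,` and `capability dac_override,` makes this profile close to unconfined: the compositor could inspect or attach to any process on the system and bypass DAC checks on any file its path rules match. The `/bin/pidof`, `/sbin/killall5`, `/proc/*/stat` and `/proc/*/cmdline` rules suggest the ptrace access comes from a launcher script looking for an existing server instance; if so, restrict it to the profile's own label (for example `ptrace (read) peer=@{profile_name},`) or rework the script so it does not scan other processes, and remove the duplicate `capability sys_ptrace,`. Each of `sys_admin` and `dac_override` should be backed by a logged denial, and `capability chown,` / `capability fowner,` belong next to the `/run/mir_socket rw,` rule with a comment explaining the ownership change on the socket. Smaller points: `/dev/tty* wr,` should read `rw,` for consistency, `/sys/devices/**/ r,` is very broad next to the specific `/sys/class/...` entries, and the `# ... specialized confinement ...` block is unindented relative to the template rules above it.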
127=== added file 'overlay/meta/mir.seccomp'
128--- overlay/meta/mir.seccomp 1970-01-01 00:00:00 +0000
129+++ overlay/meta/mir.seccomp 2015-07-28 14:59:40 +0000
130@@ -0,0 +1,403 @@
131+sudo vi# Description: mir-compositor apparmor security profile
132+# Usage: Mir
133+access
134+accept
135+faccessat
136+
137+alarm
138+brk
139+bind
140+# ARM private syscalls
141+breakpoint
142+cacheflush
143+set_tls
144+usr26
145+usr32
146+
147+capget
148+
149+chdir
150+fchdir
151+
152+# We can't effectively block file perms due to open() with O_CREAT, so allow
153+# chmod until we have syscall arg filtering (LP: #1446748)
154+chmod
155+fchmod
156+fchmodat
157+
158+# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
159+# properly support chown, we need to have syscall arg filtering (LP: #1446748)
160+# and per-app UID/GIDs.
161+#chown
162+#chown32
163+#fchown
164+#fchown32
165+#fchownat
166+
167+# needed for chmod'ing the mir socket so apps can use
168+lchown
169+#lchown32
170+
171+clock_getres
172+clock_gettime
173+clock_nanosleep
174+clone
175+close
176+connect
177+creat
178+dup
179+dup2
180+dup3
181+epoll_create
182+epoll_create1
183+epoll_ctl
184+epoll_ctl_old
185+epoll_pwait
186+epoll_wait
187+epoll_wait_old
188+eventfd
189+eventfd2
190+execve
191+execveat
192+_exit
193+exit
194+exit_group
195+fallocate
196+
197+# requires CAP_SYS_ADMIN
198+#fanotify_init
199+#fanotify_mark
200+
201+fcntl
202+fcntl64
203+flock
204+fork
205+ftime
206+futex
207+get_mempolicy
208+get_robust_list
209+get_thread_area
210+getcpu
211+getcwd
212+getdents
213+getdents64
214+getegid
215+getegid32
216+geteuid
217+geteuid32
218+getgid
219+getgid32
220+getgroups
221+getgroups32
222+getitimer
223+getpgid
224+getpgrp
225+getpid
226+getppid
227+getpriority
228+getrandom
229+getresgid
230+getresgid32
231+getresuid
232+getresuid32
233+
234+getrlimit
235+ugetrlimit
236+
237+getrusage
238+getsid
239+getsockname
240+getsockopt
241+gettid
242+gettimeofday
243+getuid
244+getuid32
245+
246+getxattr
247+fgetxattr
248+lgetxattr
249+
250+inotify_add_watch
251+inotify_init
252+inotify_init1
253+inotify_rm_watch
254+
255+# Needed by shell
256+ioctl
257+
258+io_cancel
259+io_destroy
260+io_getevents
261+io_setup
262+io_submit
263+ioprio_get
264+# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
265+# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
266+#ioprio_set
267+
268+ipc
269+kill
270+link
271+linkat
272+listen
273+listxattr
274+llistxattr
275+flistxattr
276+
277+lseek
278+llseek
279+_llseek
280+lstat
281+lstat64
282+
283+madvise
284+fadvise64
285+fadvise64_64
286+arm_fadvise64_64
287+
288+mbind
289+mincore
290+mkdir
291+mkdirat
292+mlock
293+mlockall
294+mmap
295+mmap2
296+mprotect
297+
298+# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
299+#mq_getsetattr
300+#mq_notify
301+#mq_open
302+#mq_timedreceive
303+#mq_timedsend
304+#mq_unlink
305+
306+mremap
307+msgctl
308+msgget
309+msgrcv
310+msgsnd
311+msync
312+munlock
313+munlockall
314+munmap
315+
316+nanosleep
317+
318+# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
319+# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
320+# and allow this call
321+#nice
322+
323+# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
324+open
325+
326+openat
327+pause
328+pipe
329+pipe2
330+poll
331+ppoll
332+
333+# LP: #1446748 - support syscall arg filtering
334+prctl
335+arch_prctl
336+
337+read
338+pread
339+pread64
340+preadv
341+readv
342+
343+readahead
344+readdir
345+readlink
346+readlinkat
347+recvmsg
348+remap_file_pages
349+
350+removexattr
351+fremovexattr
352+lremovexattr
353+
354+rename
355+renameat
356+renameat2
357+
358+# The man page says this shouldn't be needed, but we've seen denials for it
359+# in the wild
360+restart_syscall
361+
362+rmdir
363+rt_sigaction
364+rt_sigpending
365+rt_sigprocmask
366+rt_sigqueueinfo
367+rt_sigreturn
368+rt_sigsuspend
369+rt_sigtimedwait
370+rt_tgsigqueueinfo
371+sched_getaffinity
372+sched_getattr
373+sched_getparam
374+sched_get_priority_max
375+sched_get_priority_min
376+sched_getscheduler
377+sched_rr_get_interval
378+# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
379+# app may only change its own scheduler
380+sched_setscheduler
381+
382+sched_yield
383+
384+select
385+_newselect
386+pselect
387+pselect6
388+
389+semctl
390+semget
391+semop
392+semtimedop
393+sendfile
394+sendfile64
395+sendmsg
396+sendto
397+
398+# snappy doesn't currently support per-app UID/GIDs so don't allow this family
399+# of syscalls. To properly support these, we need to have syscall arg filtering
400+# (LP: #1446748) and per-app UID/GIDs.
401+#setgid
402+#setgid32
403+#setgroups
404+#setgroups32
405+#setregid
406+#setregid32
407+#setresgid
408+#setresgid32
409+#setresuid
410+#setresuid32
411+#setreuid
412+#setreuid32
413+#setuid
414+#setuid32
415+
416+# These break isolation but are common and can't be mediated at the seccomp
417+# level with arg filtering
418+setpgid
419+setpgrp
420+
421+set_thread_area
422+setitimer
423+
424+# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
425+# limits
426+setrlimit
427+prlimit64
428+
429+set_mempolicy
430+set_robust_list
431+setsid
432+set_tid_address
433+setsockopt
434+setxattr
435+fsetxattr
436+lsetxattr
437+
438+shmat
439+shmctl
440+shmdt
441+shmget
442+signal
443+sigaction
444+signalfd
445+signalfd4
446+sigaltstack
447+sigpending
448+sigprocmask
449+sigreturn
450+sigsuspend
451+sigtimedwait
452+sigwaitinfo
453+socket
454+socketpair
455+splice
456+
457+stat
458+stat64
459+fstat
460+fstat64
461+fstatat64
462+lstat
463+newfstatat
464+oldfstat
465+oldlstat
466+oldstat
467+
468+statfs
469+statfs64
470+fstatfs
471+fstatfs64
472+statvfs
473+fstatvfs
474+ustat
475+
476+symlink
477+symlinkat
478+
479+sync
480+sync_file_range
481+sync_file_range2
482+arm_sync_file_range
483+fdatasync
484+fsync
485+syncfs
486+sysinfo
487+syslog
488+tee
489+tgkill
490+time
491+timer_create
492+timer_delete
493+timer_getoverrun
494+timer_gettime
495+timer_settime
496+timerfd_create
497+timerfd_gettime
498+timerfd_settime
499+times
500+tkill
501+
502+truncate
503+truncate64
504+ftruncate
505+ftruncate64
506+
507+umask
508+
509+uname
510+olduname
511+oldolduname
512+
513+unlink
514+unlinkat
515+
516+utime
517+utimensat
518+utimes
519+futimesat
520+
521+vfork
522+vmsplice
523+wait4
524+oldwait4
525+waitpid
526+waitid
527+
528+write
529+writev
530+pwrite
531+pwrite64
532+pwritev
533+
534
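Review bot: the first line `sudo vi# Description: mir-compositor apparmor security profile` has editor command text pasted into the file; because it no longer starts with `#`, the seccomp policy parser will see `sudo vi# Description: ...` as a syscall entry rather than a comment. Fix the first line and correct the description, which calls this seccomp file an apparmor profile. `lchown` is allowed with the comment `# needed for chmod'ing the mir socket so apps can use` while the rest of the chown family stays denied for the reasons given above it; chmod of the socket is already covered by `chmod`/`fchmod`/`fchmodat`, so either the comment or the entry is wrong, and if the server really changes the socket owner that should be stated and matched with the `capability chown,` rule in the AppArmor profile. `lstat` also appears twice (under the lseek group and again under the stat group).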
535=== added file 'overlay/meta/mirdemosvr.apparmor'
536--- overlay/meta/mirdemosvr.apparmor 1970-01-01 00:00:00 +0000
537+++ overlay/meta/mirdemosvr.apparmor 2015-07-28 14:59:40 +0000
538@@ -0,0 +1,45 @@
539+# Description: mir-demo-server apparmor security profile
540+# Usage: Mir
541+
542+#include <tunables/global>
543+
544+# Specified profile variables
545+###VAR###
546+
547+###PROFILEATTACH### (attach_disconnected) {
548+ #include <abstractions/base>
549+ #include <abstractions/nameservice>
550+
551+ # Read-only for the install directory
552+ @{CLICK_DIR}/@{APP_PKGNAME}/ r,
553+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
554+ @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
555+
556+ # Writable home area
557+ owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/ rw,
558+ owner @{HOMEDIRS}/apps/@{APP_PKGNAME}/** mrwklix,
559+
560+ # Read-only system area for other versions
561+ /var/lib/apps/@{APP_PKGNAME}/ r,
562+ /var/lib/apps/@{APP_PKGNAME}/** mrkix,
563+
564+ # Writable system area only for this version.
565+ /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
566+ /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
567+
568+# ... specialized confinement ...
569+# Socket to talk on
570+/run/mir_socket rw,
571+
572+# Hardware acceleration
573+/dev/dri/card0 rw,
574+
575+# For non-opengl apps
576+/dev/shm/\#* rw,
577+
578+# udev
579+/sys/devices/*/*/*/uevent rw,
580+/sys/devices/*/*/*/drm/card0/uevent rw,
581+/sys/bus r,
582+/sys/class r,
583+}
584
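Review bot: per the review comment above, this profile can be dropped and mir_demo_server run under the default template with the `@PACKAGE@_client` cap. If it is kept: `/sys/devices/*/*/*/uevent rw,` and `/sys/devices/*/*/*/drm/card0/uevent rw,` should be `r,`, since writing to a uevent file injects synthetic udev events and nothing here needs that; `/sys/bus r,` and `/sys/class r,` lack the trailing `/` and so do not grant the directory listings they appear intended for (compare `/sys/bus/ r,` in mir.apparmor); and `/dev/dri/card0 rw,` hard-codes the first GPU.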
585=== added file 'overlay/meta/mirdemosvr.seccomp'
586--- overlay/meta/mirdemosvr.seccomp 1970-01-01 00:00:00 +0000
587+++ overlay/meta/mirdemosvr.seccomp 2015-07-28 14:59:40 +0000
588@@ -0,0 +1,393 @@
589+# Description: mir-demo-server apparmor security profile
590+# Usage: Mir
591+access
592+accept
593+faccessat
594+
595+alarm
596+brk
597+
598+# ARM private syscalls
599+breakpoint
600+cacheflush
601+set_tls
602+usr26
603+usr32
604+
605+capget
606+
607+chdir
608+fchdir
609+
610+# We can't effectively block file perms due to open() with O_CREAT, so allow
611+# chmod until we have syscall arg filtering (LP: #1446748)
612+chmod
613+fchmod
614+fchmodat
615+
616+# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
617+# properly support chown, we need to have syscall arg filtering (LP: #1446748)
618+# and per-app UID/GIDs.
619+#chown
620+#chown32
621+#fchown
622+#fchown32
623+#fchownat
624+#lchown
625+#lchown32
626+
627+clock_getres
628+clock_gettime
629+clock_nanosleep
630+clone
631+close
632+creat
633+dup
634+dup2
635+dup3
636+epoll_create
637+epoll_create1
638+epoll_ctl
639+epoll_ctl_old
640+epoll_pwait
641+epoll_wait
642+epoll_wait_old
643+eventfd
644+eventfd2
645+execve
646+execveat
647+_exit
648+exit
649+exit_group
650+fallocate
651+
652+# requires CAP_SYS_ADMIN
653+#fanotify_init
654+#fanotify_mark
655+
656+fcntl
657+fcntl64
658+flock
659+fork
660+ftime
661+futex
662+get_mempolicy
663+get_robust_list
664+get_thread_area
665+getcpu
666+getcwd
667+getdents
668+getdents64
669+getegid
670+getegid32
671+geteuid
672+geteuid32
673+getgid
674+getgid32
675+getgroups
676+getgroups32
677+getitimer
678+getpgid
679+getpgrp
680+getpid
681+getppid
682+getpriority
683+getrandom
684+getresgid
685+getresgid32
686+getresuid
687+getresuid32
688+
689+getrlimit
690+ugetrlimit
691+
692+getrusage
693+getsid
694+gettid
695+gettimeofday
696+getuid
697+getuid32
698+
699+getxattr
700+fgetxattr
701+lgetxattr
702+
703+inotify_add_watch
704+inotify_init
705+inotify_init1
706+inotify_rm_watch
707+
708+# Needed by shell
709+ioctl
710+
711+io_cancel
712+io_destroy
713+io_getevents
714+io_setup
715+io_submit
716+ioprio_get
717+# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
718+# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
719+#ioprio_set
720+
721+ipc
722+kill
723+link
724+linkat
725+
726+listxattr
727+llistxattr
728+flistxattr
729+
730+lseek
731+llseek
732+_llseek
733+lstat
734+lstat64
735+
736+madvise
737+fadvise64
738+fadvise64_64
739+arm_fadvise64_64
740+
741+mbind
742+mincore
743+mkdir
744+mkdirat
745+mlock
746+mlockall
747+mmap
748+mmap2
749+mprotect
750+
751+# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
752+#mq_getsetattr
753+#mq_notify
754+#mq_open
755+#mq_timedreceive
756+#mq_timedsend
757+#mq_unlink
758+
759+mremap
760+msgctl
761+msgget
762+msgrcv
763+msgsnd
764+msync
765+munlock
766+munlockall
767+munmap
768+
769+nanosleep
770+
771+# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
772+# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
773+# and allow this call
774+#nice
775+
776+# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
777+open
778+
779+openat
780+pause
781+pipe
782+pipe2
783+poll
784+ppoll
785+
786+# LP: #1446748 - support syscall arg filtering
787+prctl
788+arch_prctl
789+
790+read
791+pread
792+pread64
793+preadv
794+readv
795+
796+readahead
797+readdir
798+readlink
799+readlinkat
800+remap_file_pages
801+
802+removexattr
803+fremovexattr
804+lremovexattr
805+
806+rename
807+renameat
808+renameat2
809+
810+# The man page says this shouldn't be needed, but we've seen denials for it
811+# in the wild
812+restart_syscall
813+
814+rmdir
815+rt_sigaction
816+rt_sigpending
817+rt_sigprocmask
818+rt_sigqueueinfo
819+rt_sigreturn
820+rt_sigsuspend
821+rt_sigtimedwait
822+rt_tgsigqueueinfo
823+sched_getaffinity
824+sched_getattr
825+sched_getparam
826+sched_get_priority_max
827+sched_get_priority_min
828+sched_getscheduler
829+sched_rr_get_interval
830+# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
831+# app may only change its own scheduler
832+sched_setscheduler
833+
834+sched_yield
835+
836+select
837+_newselect
838+pselect
839+pselect6
840+
841+semctl
842+semget
843+semop
844+semtimedop
845+sendfile
846+sendfile64
847+
848+# snappy doesn't currently support per-app UID/GIDs so don't allow this family
849+# of syscalls. To properly support these, we need to have syscall arg filtering
850+# (LP: #1446748) and per-app UID/GIDs.
851+#setgid
852+#setgid32
853+#setgroups
854+#setgroups32
855+#setregid
856+#setregid32
857+#setresgid
858+#setresgid32
859+#setresuid
860+#setresuid32
861+#setreuid
862+#setreuid32
863+#setuid
864+#setuid32
865+
866+# These break isolation but are common and can't be mediated at the seccomp
867+# level with arg filtering
868+setpgid
869+setpgrp
870+
871+set_thread_area
872+setitimer
873+
874+# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
875+# limits
876+setrlimit
877+prlimit64
878+
879+set_mempolicy
880+set_robust_list
881+setsid
882+set_tid_address
883+
884+setxattr
885+fsetxattr
886+lsetxattr
887+
888+shmat
889+shmctl
890+shmdt
891+shmget
892+signal
893+sigaction
894+signalfd
895+signalfd4
896+sigaltstack
897+sigpending
898+sigprocmask
899+sigreturn
900+sigsuspend
901+sigtimedwait
902+sigwaitinfo
903+splice
904+
905+stat
906+stat64
907+fstat
908+fstat64
909+fstatat64
910+lstat
911+newfstatat
912+oldfstat
913+oldlstat
914+oldstat
915+
916+statfs
917+statfs64
918+fstatfs
919+fstatfs64
920+statvfs
921+fstatvfs
922+ustat
923+
924+symlink
925+symlinkat
926+
927+sync
928+sync_file_range
929+sync_file_range2
930+arm_sync_file_range
931+fdatasync
932+fsync
933+syncfs
934+sysinfo
935+syslog
936+tee
937+tgkill
938+time
939+timer_create
940+timer_delete
941+timer_getoverrun
942+timer_gettime
943+timer_settime
944+timerfd_create
945+timerfd_gettime
946+timerfd_settime
947+times
948+tkill
949+
950+truncate
951+truncate64
952+ftruncate
953+ftruncate64
954+
955+umask
956+
957+uname
958+olduname
959+oldolduname
960+
961+unlink
962+unlinkat
963+
964+utime
965+utimensat
966+utimes
967+futimesat
968+
969+vfork
970+vmsplice
971+wait4
972+oldwait4
973+waitpid
974+waitid
975+
976+write
977+writev
978+pwrite
979+pwrite64
980+pwritev
981+
982
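Review bot: this seccomp list does not allow `socket`, `socketpair`, `bind`, `listen`, `connect`, `sendmsg`, `recvmsg`, `getsockname`, `getsockopt` or `setsockopt`, all of which mir.seccomp allows and which a Mir server needs to create and serve its socket; `accept` is present but cannot be reached without `socket` and `listen`. That suggests mir_demo_server was not exercised under this profile (the description says only the Qt clock app against the system compositor was). Either test the demo server and add the denied calls from the audit log, or, as suggested in review, remove this file and mirdemosvr.apparmor and use the default policy with the client cap. The header comment also calls this seccomp file an apparmor profile.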
983=== modified file 'overlay/meta/package.yaml'
984--- overlay/meta/package.yaml 2015-06-11 21:18:28 +0000
985+++ overlay/meta/package.yaml 2015-07-28 14:59:40 +0000
986@@ -8,4 +8,12 @@
987 - name: system-compositor
988 description: "system compositor"
989 start: bin/server
990- security-template: unconfined
991+ security-policy:
992+ apparmor: ./meta/mir.apparmor
993+ seccomp: ./meta/mir.seccomp
994+binaries:
995+ - name: mir_demo_server
996+ exec: debs/usr/bin/mir_demo_server
997+ security-policy:
998+ apparmor: ./meta/mirdemosvr.apparmor
999+ seccomp: ./meta/mirdemosvr.seccomp
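Review bot: replacing `security-template: unconfined` with a custom `security-policy:` for system-compositor is the point of the branch and looks right, but the `mir_demo_server` entry under `binaries:` should take the form given in the review comment (`caps:` with `network-client` and `@PACKAGE@_client`) rather than its own `security-policy:`, which also removes the need for the two mirdemosvr.* files. Confirm as well that the `./meta/mir.apparmor` and `./meta/mir.seccomp` paths are resolved relative to the snap root by the snappy tooling.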
